Improving compliance against risk management standards

Central Coast Council, Water and Sewer
Central Coast New South Wales

At a glance

Conducting a comprehensive assessment and gap analysis to enhance compliance with risk management standards.

The challenge

The Security of Critical Infrastructure Act (SOCI Act) mandates the creation of a Critical Infrastructure Risk Management Program (CIRMP) for essential systems such as water, electricity, energy, fuel, food, gas, hospitals, freight, domains, data storage, and financial markets. The legislation aims to improve risk management by working with existing frameworks or requiring new ones. CIRMPs must identify and address potential hazards, considering various factors. Organisations are required to conduct evaluations and implement plans for effective risk management and resilience.

With the introduction of the new SOCI legislation, Central Coast Council took a proactive role to improve operational standards, security and resilience. To comply with the SOCI Act requirements, they had to review and address vulnerabilities to all likely hazards, including supply chain, cyber, personnel, and physical or natural hazards.

Beyond legislative compliance, Water and Sewer’s goal was to improve internal systems to ultimately benefit the community, which relies on this critical infrastructure.

GHD Advisory was commissioned by Water and Sewer to support compliance with the SOCI Act by incorporating a CIRMP.

Our response

Our initial step in this journey was the assessment phase. We delved into their asset and risk registers, while conducting a comprehensive desktop study. In parallel, we reviewed their business continuity plans, comparing them to the legislative requirements.

We conducted a gap analysis that identified areas in which adjustments were necessary to ensure compliance. We organised workshops to collaboratively address these gaps and to refine our approach. A similar process was then repeated with a smaller group, focusing particularly on risks.

Our team outlined what their critical infrastructure risk management program should encompass. Additionally, we aided them in crafting a board paper, an essential step in gaining the support of the organisation's top tier, a prerequisite for compliance.

The impact

Today, the entity is among the few utilities that have chosen to embark on this voluntary journey this year. Notably, they now stand at the forefront, setting an example as a regional water utility deeply committed to critical infrastructure security and compliance. Their diligence in adhering to the SOCI Act reflects their heightened awareness of threats, vulnerabilities, and the associated risks that they must address comprehensively.

We guided them through this approach to meet the deadlines for compliance submissions, within 90 days of the end of the financial year.

They have successfully transitioned from a state of relative uncertainty, where centralised knowledge on enhancing the resilience and security of their assets was lacking, to a position where they possess a clear understanding of what requires attention and how to address it in the upcoming years to maintain ongoing compliance.

Our tailored approach to their desktop materials, drawing upon our knowledge in threat and vulnerability analysis, was instrumental in enhancing their risk management program methodology. This approach allowed us to adeptly interpret and implement new legislation. This level of interpretation proves indispensable because, despite the wealth of available guidance materials, the legislation frequently demands a nuanced comprehension.

“We are now empowered in our roles as water and sewer providers. We achieved clarity in our mission, and we share a common purpose with our community.”
Krystie Bryant, Section Manager, Asset Security and Resilience, Water and Sewer